Security vendor Avast has warned that those using mobile banking apps are at a greater risk of falling victim to cybercrime. The warning was released at Mobile World Congress (MWC). It draws on a survey of 40,000 consumers in 12 countries.
Users were shown images of official mobile banking apps and the fake equivalents. Worryingly, 58% identified the valid app as being a fake and 36% mistook the fake app for the real app. Interestingly, when comparing different countries, 67% of users in Spain misidentified the real app. In the US that figure was just 40%.
Gagan Singh, Senior Vice President and General Manager of Mobile at Avast, said: “We are seeing a steady increase in the number of malicious applications for Android devices that are able to bypass security checks on popular app stores and make their way onto consumers’ phones. Often, they pose as gaming and lifestyle apps and use social engineering tactics to trick users into downloading them.”
Last week Avast warned of the Tempting Cedar Spyware. This worked by persuading users to visit a fake site, change the settings on their device and download the app. It bypassed the security protections of the Google Play store.
Singh continued: “More often than not, consumers can rely on trusted app stores like Google Play and Apple’s App Store to download applications, but extra vigilance is also advised. It’s important to confirm that the banking app you are using is the verified version. If the interface looks unfamiliar or out of place, double-check with the bank’s customer service team. Also use two-factor authentication if it’s available and make sure you have a strong antivirus for Android installed to detect and protect you from money-grabbing malware.”
Avast detecting an increase in mobile banking Trojans
Over recent months, Avast claims that it has detected an increase in the number of mobile banking Trojans. These are aimed at users of several banks including Citibank, Wells Fargo, Santander, HSBC, ING, Chase, Bank of Scotland and Sberbank. What makes these banks attractive to hackers is not necessarily the net worth of their customers but the volume of potential victims.
In addition to creating fake websites and mobile apps, hackers are also using other attacks to grab banking credentials. They do this through legitimate-looking applications. One way that this happens is that they write an innocuous application such as a game or utility. It is then placed into the Google Play or iOS store. After a few releases and once the number of downloads has grown, an update with malicious code is released. As the previous version was deemed safe, these malicious versions often get into app stores. When a user updates the app, the malware is installed on their device and it hunts for banking apps.
According to Avast, what happens next is: “If a user opened the banking application, the malware would create a fake overlay on top of the genuine app with the goal of collecting the customer’s banking details and sending them on to the attacker.”
What does this mean?
Banks are keen to get users onto mobile apps. They see them as a way to keep in contact with users and as a handy sales tool. Use the browser on a mobile device to connect to a banking website and the bank will prompt you to download the app.
Hackers use exactly the same approach to get their apps onto devices. They create highly accurate copies of a bank website and then send out phishing emails. Users who click on the links in the email are taken to the fake bank site. From there they are guided through the steps to install the fake banking app. From that point on the hackers are capable of stealing credentials and money.
Most banks are adding multifactor authentication to help protect users. However, many users choose not to use it. One reason is that it is seen as being intrusive. Another is that banks don’t explain the benefits very well. Some banks also provide free security software from third parties that runs on desktops and mobile devices. However, downloads of these tools are limited.
There is no easy way to solve this problem. Banks won’t enforce security on users for fear of them going elsewhere. Users, on the other hand, need to take more responsibility for their banking security. This is a problem that is not going away.